CVE-2021-34409
Summary
| CVE | CVE-2021-34409 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-09-27 14:15:00 UTC |
| Updated | 2022-10-06 18:10:00 UTC |
| Description | It was discovered that the installation packages of the Zoom Client for Meetings for MacOS (Standard and for IT Admin) installation before version 5.2.0, Zoom Client Plugin for Sharing iPhone/iPad before version 5.2.0, and Zoom Rooms for Conference before version 5.1.0, copy pre- and post- installation shell scripts to a user-writable directory. In the affected products listed below, a malicious actor with local access to a user's machine could use this flaw to potentially run arbitrary system commands in a higher privileged context during the installation process. |
Risk And Classification
Problem Types: CWE-732
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zoom | Meetings | All | All | All | All |
| Application | Zoom | Rooms | All | All | All | All |
| Application | Zoom | Screen Sharing | All | All | All | All |
| Application | Zoom | Screen Sharing | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CWE - CWE-379: Creation of Temporary File in Directory with Insecure Permissions (4.4) | MISC | cwe.mitre.org | |
| Security Bulletins | Zoom | CONFIRM | explore.zoom.us | |
| Security Bulletin | Zoom | MISC | explore.zoom.us | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Lockheed Martin Red Team
Legacy QID Mappings
- 377595 Zoom Client for Meetings Local Privilege Escalation Vulnerability (ZSB-21005)